Will disabling "Always use HTTPS" for edge certificates make my website more vulnerable

Will disabling “Always use HTTPS” for edge certificates make my website more vulnerable, even if all other settings are configured to use HTTPS i.e. with HSTS, TLS 1.0, Opportunistic encryption, TLS 1.3 and Automatic HTTPS Rewrites all enabled?

That setting only automatically redirects all HTTP links to HTTPS. If there is no other redirect, your site will load on HTTP, which is not encrypted.

Though, considering you have HSTS enabled, all clients which loaded or load the site on HTTPS will use HTTPS by default.

1 Like

Thank you. So, does that mean that with “Always use HTTPS” disabled, third party malicious code could hack my website via http more easily?

Compromising the site is completely unrelated to HTTPS.

What’s your encryption mode on Cloudflare? If that is not Full Strict, you actually have a security issue? If it is Full Strict, you are good to go. But do keep the HTTP redirect enabled as well.

Yes, it is Full Strict. But is there any risk (or other disadvantages) if I leave HTTP redirect (“Always use HTTPS”) disabled?

As I mentioned

Why are you asking the question in the first place?

ok. Our CPanel AutoSSL certificate renewal requires http access to work. With “Always use HTTPS” enabled, the renewal fails. I have been temporarily disabling “Always use HTTPS” at the time of renewal to allow AutoSSL to work. We have several sites, so this is a pain to manage. It would be much easier to simply leave “Always use HTTPS” disabled all the time. However, I am reluctant to leave “Always use HTTPS” disabled permanently, if it would mean compromising the sites’ security. So, are there any issues if I leave “Always use HTTPS” disabled?

The issue you mentioned is a known issue in the context of HTTP-based domain validation and it’s a bit tricky with HTTPS redirects. Page rules could be typically used, but that depends on how many page rules you still have available.

If you haven’t use any, you could disable the HTTPS redirect and set up two page rules.

  1. /path/used/for/certificate/validation with some dummy value to stop page rule evaluation here
  2. /* enabling Always Use HTTPS

If that is not an option, you could either always disable that setting whenever you need to renew the certificate, run the validation against an unproxied hostname, or use an Origin certificate instead.

The Origin certificate is probably the easiest option.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

1 Like

I don’t think so. Forcing HTTPS does not need to be done at the cloud, though it may be convenient if it doesn’t interfere with your website functioning.

For the same reason that you mention, I have my websites on Cloudflare with Always Use HTTPS off. I set a redirect at the origin, with an exception for paths beginning with /.well-known/acme-challenge/, used by Auto SSL and Let’s Encrypt bots for renewals.

# HTTPS Redirect
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^/\.well-known/acme-challenge/
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} !https [OR]
RewriteCond %{HTTP_HOST} ^example\.com\ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</IfModule>
# END HTTPS

Ideally for us, Cloudflare should allow for exceptions to their Always Use HTTPS service. Ideally for Cloudflare, we should each deal with our own specific requirements using Page Rules or other of their many services.

1 Like

That is assuming the server does it.

then you won’t be on HTTPS at all.

I’m afraid I did not understand you comment.

Why did you cut “at the cloud” from my quote? That would make your own quote irrelevant here, wouldn’t it? Who’s talking about not having another redirect?

@steve.corley’s question was never about HTTPS. From his initial post:

The question was abot a specific Cloudflare service, Always Use HTTPS, one that is perfectly dispensable if a redirect is present at the origin.

Having a redirect to HTTPS at the origin is of course a much safer solution, as far as preserving encryption goes, than to occasionaly have to resort to pause AUH for the purpose of renewing certs. Pausing AUH would make all requests not redirect, and forgetting to unpause it may occasionally happen to us humans.

1 Like

The OP asked if the HTTPS redirect is necessary, not where it should be configured. If you don’t have an HTTPS redirect you’ll stay on HTTP and that possibly comes with aforementioned issues.

If you have an HTTPS redirect on the server (=another redirect) you naturally do not need an additional redirect on Cloudflare, though it minimises the roundtrips.

The point is, if you want to enforce SSL you’ll need a redirect and that’s what that feature is for. If you want to do that selectively, it’s a bit more tricky for the reason mentioned and that’s where an Origin certificate comes in handy.

Of course, you can do it server-side as well, but then that’s beyond Cloudflare of course as well.

No.

The OP’s question was:

So, I’m glad we are all agreeing that there should be an HTTPS redirect.

I am surprised you negated my statement, when you just confirmed it afterwards :wink:

All the other HTTPS settings are irrelevant if you are not on HTTPS and that’s what you need the redirect for, if you don’t have another one.

Not quite sure what you are saying.

Thank you @sandro and @cbrandt for your discussion and suggestions. I might be missing something fundamental here, but asking my question another way - why should I care if a visitor wants to use http rather than https? It’s the visitor who is choosing to take the risk if they want to use http?

If you have no preference on whether your site should be encrypted or not, then it does not matter at all.

Typically people want to make sure their site is encrypted and that’s where you need an HTTPS redirect. If that is of no concern of yours, you don’t necessarily need the redirect.

Personally, if you have your site on HTTPS, I’d probably make sure it is using HTTPS. Plus, browsers are moving towards HTTPS-only. Currently HTTP still works fine but, I believe, Chrome already has plans to display warnings for HTTP in some versions.

1 Like

The way I see it is that I am giving the visitor the choice to view over HTTP or HTTPS.

You can certainly do that, but if your site is on HTTPS, there is little point in providing such an option. HTTP is not bad per se, but it does not really have advantages over HTTPS.

So if you already serve your site on HTTPS, just make sure it is served on HTTPS.

There’s also always the issue with some parties on the line tampering with the data. Some hotel chains like to add their own HTML content.

The problem is, most visitors will not intentionally want to use a non-secure http when https is available. They typically do not include the scheme when they want to visit a website, instead going for example.com. In many browsers, especially on mobile, when users type in the address on the address bar, the first request it to http, and only if there is redirect it will go to https.

So, what would you prefer that visitors see when they visit your site? This:

image

or this:

image

Also, Google Search Engine prefers https, and, all other factors being equal, will position pages with https above results in http when users search for a keyword.

1 Like

It really is your choice and HTTP is still a perfectly fine choice and it makes it clear to the visitor that your site is not encrypted, but if you use HTTPS anyway, then you can equally enforce it.

It really is your call and if you do not want to enforce it, that’s fine.

1 Like